Sign up or log in to save this to your schedule and see who's attending!

When Keystone was first incubated, roles were global. Roles were later scoped to projects, but policy files have not kept up with this,. The Goal of the Dynammic Policy discussions has been to make policy better match the requirements of scaling delegation decisions in cloud, but have thus far been limited by the static nature of policy files. Lets fix this.

One of the biggest problems is global Admin; a user assigned admin in any role gets admin everywhere. We can fix parts of this in Keystone, but, again, it needs a crossproject effort to wipe out global admin. Blueprints: keystone/dynamic-policies-delivery